3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
Size

2.7MB
MD5

0abef5fe35f2e93b59d532736a0e62f0
SHA1

f91ec1ac0c869af35f77740806405ddf2dccec1f
SHA256

3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56
SHA512

32ac89f7faf640af2dab07fe667b0f6100d11b0ad96f1edc7cfccb0f97061b15d536fec97ce33ef09092291f4f3b591246d230089c4e97546fb5901a95230bc5
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB79w4Sx:+R0pI/IQlUoMPdmpSpj4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2776	devdobec.exe

Loads dropped DLL 1 IoCs

pid	Process
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvF5\\devdobec.exe"	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax82\\bodasys.exe"	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
2776	devdobec.exe
2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2776	2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe	28
PID 2032 wrote to memory of 2776	2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe	28
PID 2032 wrote to memory of 2776	2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe	28
PID 2032 wrote to memory of 2776	2032	3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe	28

C:\Users\Admin\AppData\Local\Temp\3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe
"C:\Users\Admin\AppData\Local\Temp\3b643ab2f96615da4789f1997117edcd86203251134dd8aad7ea90b3a8323c56.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2032
- C:\SysDrvF5\devdobec.exe
  C:\SysDrvF5\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax82\bodasys.exe

Filesize
36KB

MD5
32fd27eaf88ae725a6e780660eb13a12

SHA1
d20092a4108ec3ce872e5a63b4f84024e0ac70e8

SHA256
8ff6fc7a88a6e5f06b9c55142eb6ca91842dc7447df243e9fe23bd9733d769d2

SHA512
c5b2e36a872165cb028456e6bf6b6854d63e703bbf413f8d04bbc15ed5b17a6f30cc32bab583e9adb7eb5b170f2097e0a31bc3b066b0f084fdcfeab1bbb4b8a0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
57a2da047206bc2ff4c9875284d80cb4

SHA1
f80cbe56f68b3a919129d9c7734f4bb7ba1bc884

SHA256
1da65da701af7d3005b607e46788535bce2ae6fb17a51e565b1ed3726c62ca5d

SHA512
bbd2223b3fc6e3c3d179fca3f22b5ae0616802dab2394ec58462dd8a16e6d310a4e90b22b88984e81d2d99d88b1ae08457e23aa2f1bcd71ef7b626f7eb28f3ed

Download Submit
\SysDrvF5\devdobec.exe

Filesize
2.7MB

MD5
433f6106de2c7caabe151bbb358c928b

SHA1
68ddd0db67596bf860121af1dbb565dfb3c2089c

SHA256
c35756015a0621f82f64a7fde9ec91f08de1c446265a57edc55fbcf1e344e3fb

SHA512
217b21a51a9389ec64a7f06b61f1ba4b45e1c356741e565e1f1e1a929c55b7b0f53cf3308f8476587500e23ac6784a707d40e7fbc745d3f089d43d6573e47695

Download Submit